How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.

These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there were most certainly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin here?).

No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava-wearing hackers requires some sort of detection system. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.

A Stingray / cell site simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.

Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites with an RF-blocking dome with a slit in it revolving around the GSM900 antenna.
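The two steps the article describes, estimating where each cell sits from drive-by power readings and then flagging cells that were not present during the baseline survey, as an added example in Python (not [Eric]’s code). The log rows are constructed, and the choice to weight the centroid by linear power converted from dBm is an assumption, not something the page specifies.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of what the detector logs on two drives a week apart:
# (timestamp, lat, lon, rssi_dbm, mcc, mnc, lac, cell_id). Values are made up.
OBSERVATIONS = [
    ("2016-08-01 09:00", 42.3600, -71.0600, -75, "310", "410", "1234", "5001"),
    ("2016-08-01 09:05", 42.3620, -71.0580, -70, "310", "410", "1234", "5001"),
    ("2016-08-01 09:10", 42.3640, -71.0560, -80, "310", "410", "1234", "5001"),
    ("2016-08-08 09:00", 42.3600, -71.0600, -78, "310", "410", "1234", "5001"),
    # a strong new cell on the second drive, reusing the same MCC/MNC/LAC
    ("2016-08-08 09:03", 42.3610, -71.0590, -50, "310", "410", "1234", "9999"),
    ("2016-08-08 09:04", 42.3615, -71.0585, -45, "310", "410", "1234", "9999"),
]

def cell_key(obs):
    """Identity of a cell as the article lists it: country code, network code,
    area ID and cell ID."""
    return obs[4:8]

def estimate_positions(observations):
    """Power-weighted centroid per cell. dBm is converted to linear mW so the
    strongest readings dominate, roughly the red spots on the QGIS heatmap."""
    acc = defaultdict(lambda: [0.0, 0.0, 0.0])  # sum(w*lat), sum(w*lon), sum(w)
    for obs in observations:
        w = 10 ** (obs[3] / 10.0)
        a = acc[cell_key(obs)]
        a[0] += w * obs[1]
        a[1] += w * obs[2]
        a[2] += w
    return {k: (a[0] / a[2], a[1] / a[2]) for k, a in acc.items()}

def flag_new_cells(observations, baseline_end):
    """Cells whose first sighting is after the baseline survey finished.
    Anything already broadcasting during the baseline is trusted by
    construction, so the baseline itself should be checked against a list
    of known legitimate sites rather than taken on faith."""
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d %H:%M")
    first_seen = {}
    for obs in observations:
        t = datetime.strptime(obs[0], "%Y-%m-%d %H:%M")
        k = cell_key(obs)
        first_seen[k] = min(first_seen.get(k, t), t)
    return sorted(k for k, t in first_seen.items() if t > cutoff)

if __name__ == "__main__":
    for k, (lat, lon) in estimate_positions(OBSERVATIONS).items():
        print(k, round(lat, 4), round(lon, 4))
    print("new since baseline:", flag_new_cells(OBSERVATIONS, "2016-08-02 00:00"))
```

A real deployment would feed this from the SQLite or similar database the Pi writes, and a cell that is new, strong, and then vanishes after a few days is exactly the "corner of your street for a week" case the article warns about.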

I like the hardware solution, but to get enough data for this to be useful to actually find rogue towers, apps are the way. Also, WTF clickbait headline, “This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work.” vs “HOW TO DETECT AND FIND ROGUE CELL TOWERS”

I wonder if the app is really able to differentiate between a real and masquerading tower. Per the ITU standard the base stations publish their location but there is no guarantee the location is legit, signal boosters used in urban environments would probably make the task even more complicated if the signal strength is used as a unit of distance.

Pretty sure I had an app on my phone that showed me the location of cell sites at one point.

As for identifying the rogue sites, there are a lot of buildings around here that have their own “site” (more than a femtocell less than a tower) that would make that more difficult…

Friend of mine worked for a carrier, and saw the maps for cell towers, there was one intersection that had 4 cell sites all within 100 feet of each other, and it was totally legit, 1 was a tower, 3 were in office spaces that got poor signal inside the building (because the tower was above them and the antennas don’t point down, and even if they did metal roofs would shield the signal).

The key in picking up rogue sites is either looking for a moving site (stingrays on a plane) or looking for a new site to be created… just identifying what is there doesn’t help unless you have a list of known legitimate sites to compare against.

Bypassing the internet has its advantages. [ as long as the encryption is strong enough. ] multi band parallel transfer via SDR might be an avenue for success. I guess it would feel like wireless dialup if only one frequency was used.

No need to guess if the tower in question is legit. The FCC has a database of every cell tower in operation. There are places online with interactive maps so I’m sure there’s a *.shp for the data already out there.

So…cell base stations have unique ID numbers (and a bunch of other parameters). I suspect that if you get inside the protocol, stingrays would stick out like sore thumbs (some of the transmitted fields would be default values, vs. carefully programmed in real base stations). But, of course, all these fields would be different for each provider…

So, if that’s the case, they should be detectable. I don’t know enough about the current protocols to know for sure, but it seems like two towers with the same tower ID would be a problem for the protocol.

Someone should be able to get a PhD out of this :-) Or, maybe we’ll see a really interesting paper at a future hacking convention.

Wonder who will be the first to pick up a surplus Stingray at a GSA auction?

There’s one big problem with cell-site detectors under the current operational theory: they assume that the malicious equipment isn’t broadcasting all the time, but that legitimate towers are. The detector can only compare “new” or “temporary” signals to pre-existing ones. That means if someone is broadcasting with malicious equipment early enough and/or long enough, they’ll be logged as a legit tower.

Okay, that made me laugh. I’m serious, though. The only publicly-available database of legitimate cell towers I’ve examined (http://opencellid.org/) is out of date and incomplete at best. I’m sure there are others, but they’ll always depend on the notion that their first snapshot contains only legitimate towers.

In a nutshell, what I’m saying is the current method by which cell-site simulators operate is inadequate. It’s a good start, but there need to be frequent, intelligent checks on the data to make sure it doesn’t mislabel malicious equipment as legitimate, or allow malicious equipment that’s already in the data to remain.

In some cities they hide real towers inside old abandoned buildings.
Massachusetts (USA) has some ugly old factory buildings with dozens of broken windows and homeless people inside.
And cellular antennae on the roof.

Basically, you should always assume that your communications are being intercepted. Whether by your corporate IT dept, the NSA, local police, the Black Hat next door, or your mom, you’re likely to be spied on at any time. (Whether or not your data gets analyzed is another question). If you want to communicate privately, you need to employ adequate and rigorous encryption (and avoid 3rd party apps that claim to not have the keys or not save your messages but really do). If you want to go a step further, always use encryption so that your more sensitive messages do not stand out. Rotate keys often my friends!

Which is essentially functionally correct in our current Orwellian society…
I am all for realists, but, it is getting to the point that I am considering setting up my phone on my own openbts tower and turning off roaming.
At least then I would have another layer of obscurity.

I thought about that too, but I think this way is just a tiny bit simpler.

With a (rotating) directional antenna, you need to actually rotate the antenna. That means either putting RF through a slip ring, which is probably a bad idea, or just putting an entire module on a slip ring turntable. You could scan back and forth, but that’s an inelegant solution. Not to mention a Yagi is long so you’re swinging a lot of mass around.

The ‘rotating dome’ is significantly more simple. It would be a straight connection through an RF shielded base and a motor off to the side of the dome. Put an encoder or hall sensor on the rotating part, and you’re done. In my mind, it’s just a simpler way to have a constantly rotating directional antenna, and you’re going to need a constantly rotating antenna for what he’s using this for.

You will get less gain with the shielded dipole than a real directional antenna though. Ignoring near-field effects of the dome, the antenna will still work as a dipole, with only a small sector actually receiving. The gain in the pointing direction is thus just 2.1dBi. Taking into account back-reflection will likely increase the gain somewhat, but will result in decreased directivity. Difficult to say really without simulating it.

I would try rotating a patch antenna back-and-forth. Much less mass than a Yagi.

Rough… I know… without examples of using it in books for Fox Hunting or Radio Direction Finding… people will think it’s Voodoo or something that’s not real.

With my kit… I figured I’d go with synthetic aperture for starters upgrading from the yagi… then updating to have multiple synthetic apertures to create a passive synthetic aperture phased array as the goal.

Good call… how is the bandwidth and gain on the smart antennas? A phased array of discones would be sweet.

Substantially less gain with that rotating radome idea plus it’d have to be a shielded radome which would be both heavy and expensive. Also, that radome would become an RF cavity to a certain extent. RF goes through slip rings all the time for both RADAR and SATCOM.

I want an inexpensive cell phone signal repeater/booster where an antenna can be put outside a building with bad reception inside, and the rest of the thing, with more antennas, can be inside the building. It would need to work with all the different frequencies etc.

Dunno why big companies like WalMart and Home Depot don’t have them in their stores already, especially when they push using their mobile websites for people to look for stuff to buy. “Use our mobile app, if you can get a signal inside our metal buildings that are nearly as RF tight as a Faraday cage.”

Reason Wal-Mart don’t sell them, I suspect, is because they’re expensive (a few hundred $ IIRC) and a niche market. That, and the potential disaster of letting People Of Wal-Mart install their own cell repeaters. You’d have more dead zones full of noise than you would actual signal. For which people would compensate, by buying more repeaters.

Actually, sounds like a good business plan. Make bad repeaters and get them into the hands of a small percent of an area, they interfere with normal signal, so more people come to buy them, and the process repeats. Just have to make sure that repeaters improve the signal for the ones who buy them and damages everyone else’s.

$3000 femtocell in a PC? What about this? http://www.att.com/att/microcell/
Out of the box it must get registered on the ATT network and only accepts individually permissioned phone numbers, but how tough would it be to hack?

Also, I just installed an Att METROCELL at a new building I finished. It supports up to 64 lte devices and it doesn’t require registering the numbers ala the microcell. Still only supports att band devices though. It’s been working great for the ~6wks I’ve had it up and running – only problem was it cost $5k, and that still irks me that I have to pay to allow att to provide service in my building. They should be giving them away to business customers….

Cell-site simulators are commonly called IMSI catchers or Stingrays. These are those devices that masquerade as a legitimate cell phone tower, tricking phones nearby into connecting to the device in order to log the IMSI numbers of mobile phones in the area or capture the content of communications. IMSI in simple words is an identifying number that is unique to each cell phone that stands for International Mobile Subscriber Identity. A cell-site simulator accurately and precisely describes the full capability of these devices.

If anyone is absolutely serious about wanting to detect (for whatever purposes…the more sinister the better) a fake cell tower, it’s really as easy as adjusting your search parameters to the coordinates where I reside. One might call my claim paranoid, another the beginning of a delusion of grandeur, another ……? In the not too distant past I researched ‘gang stalking’ and other related topics. Those people all sound bat shit crazy.